Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 
Listing of Claims: 

1. (Currently Amended) A method comprising: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having a corresponding one of the embedded agents, each 
embedded agent to store the symmetric cryptographic key in a storage accessible to the 
embedded agent and not directly accessible to a host processor on the client having the 
embedded agent; and 

providing access to an encrypted traffic flow in a network to one of the clients if the 
one of the clients is authenticated with the key, the providing including 

the one of the clients receiving detecting a message requesting a secure 
network connection for the encrypted traffic flow, 

in response to detecting the message, the embedded agent of the one of the 
clients verifying, prior to any allowing of the requested secure network connection, 
the embedded agent of the one of the clients verifying that a platform of the one of 
the clients is not in a compromised state at a time before providing access to the 
encrypted traffic flow, and 

in response to the message requesting the secure connection and the verifying, 
the embedded agent of the one of the clients providing the key and an assertion that 
the one of the clients is not compromised to a verification entity on the network. 

2. (Previously Presented) A method according to claim 1, wherein provisioning 
the key through the embedded agents further comprises provisioning the key through an 
embedded agent having network access via a network link not visible to a host operating 
system (OS) running on the one of the clients. 

3. (Previously Presented) A method according to claim 2, wherein providing 
access to the traffic flow if the one of the clients is authenticated comprises the embedded 
agent authenticating the one of the clients over the network line not visible to the host OS. 

4. (Original) A method according to claim 1, wherein providing access to the traffic 
flow further comprises providing multiple clients access with the key to nodes in the 
network, the nodes in the network to decrypt the traffic flow and subsequently encrypt the 
traffic flow to transmit the traffic to a next node in the network. 

5. (Previously Presented) A method according to claim 1, further comprising 
updating at a client the symmetric cryptographic key provisioned across the multiple clients 
through a public and private key exchange with a public and private key associated with the 
client. 

6. (Canceled). 

7. (Previously Presented) A method according to claim 1, further comprising the 
embedded agent indicating to a remote network device if the one of the clients is 
compromised. 

8. (Previously Presented) A method according to claim 1 , further comprising the 
embedded agent foreclosing network access to the one of the clients if the one of the clients 
is compromised. 

9. (Original) A method according to claim 1, further comprising the embedded 
agent performing cryptographic functions on data with the key to authenticate data with the 
key. 

10. (Original) A method according to claim 1, further comprising the embedded 
agent including a derivative of the key in a header of data to be transmitted to authenticate 
the data with the key. 
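The provision, verify, then assert flow of claims 1, 8, 10 and 22, modelled as an added Python example (not code from the application or from its assignee). It assumes a SHA-256 measurement of the platform image as the compromise check and an HMAC tag as the key derivative, so the agent proves possession of the provisioned key to the verification entity instead of transmitting the key itself; all names and sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: the measurement the agent was provisioned to expect
KNOWN_GOOD_IMAGE = b"constructed known-good platform image"
KNOWN_GOOD_HASH = hashlib.sha256(KNOWN_GOOD_IMAGE).digest()

def _encode(assertion: dict) -> bytes:
    return json.dumps(assertion, sort_keys=True).encode()

class EmbeddedAgent:
    """Per-client agent; the key sits in agent-private storage the host cannot read."""
    def __init__(self, client_id: str, key: bytes, known_good_hash: bytes):
        self.client_id = client_id
        self._key = key                      # claim 1: not directly accessible to the host
        self._known_good_hash = known_good_hash

    def platform_compromised(self, platform_image: bytes) -> bool:
        # claim 22 style check: measure the platform image against the known-good value
        measured = hashlib.sha256(platform_image).digest()
        return not hmac.compare_digest(measured, self._known_good_hash)

    def on_connection_request(self, nonce: bytes, platform_image: bytes):
        """Verify before allowing anything; None means access is foreclosed (claim 8)."""
        if self.platform_compromised(platform_image):
            return None
        assertion = {"client": self.client_id, "nonce": nonce.hex(), "state": "not_compromised"}
        # key derivative (claim 10): an HMAC tag proves possession without exposing the key
        tag = hmac.new(self._key, _encode(assertion), hashlib.sha256).hexdigest()
        return assertion, tag

class VerificationEntity:
    """Network-side verifier provisioned with the same symmetric key."""
    def __init__(self, key: bytes):
        self._key = key

    def grant_access(self, nonce: bytes, response) -> bool:
        if response is None:
            return False
        assertion, tag = response
        if assertion.get("nonce") != nonce.hex() or assertion.get("state") != "not_compromised":
            return False
        expected = hmac.new(self._key, _encode(assertion), hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, expected)

def run_flow(platform_image: bytes, key: bytes = b"k" * 32) -> bool:
    # Provision one key to agent and verifier, then handle a secure-connection request
    agent, verifier = EmbeddedAgent("client-A", key, KNOWN_GOOD_HASH), VerificationEntity(key)
    nonce = secrets.token_bytes(16)          # fresh challenge so assertions cannot be replayed
    return verifier.grant_access(nonce, agent.on_connection_request(nonce, platform_image))
```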

11. (Currently Amended) An apparatus comprising: 

a host platform on the apparatus including a host processor; 
a secure memory not visible to applications and an operating system (OS) running on 
the host platform; and 

an embedded computational device communicatively coupled with the host platform, 
the embedded device to have a network link transparent to the host processor and the OS, the 
embedded device to manage a cryptographic key shared among the apparatus and network 
endpoints to be used to communicate with a server over the network, to receive the 
cryptographic key on the transparent link and authenticate the apparatus, and to store the 
cryptographic key in the secure memory, the embedded computational device further to 
receive detect a request for a secure network connection providing access to an encrypted 
traffic flow in the network, the embedded computational device further to verify, in response 
to detecting the request for the secure network connection and prior to any allowing of the 
requested secure network connection, that the host platform is not in a compromised state at a 
time before providing access to the encrypted traffic flow, and in response to the request for 
the secure connection and the verifying, the embedded computational device further to 
provide the cryptographic key and an assertion that the apparatus is not compromised to a 
verification entity on the network. 

12. (Original) An apparatus according to claim 11, wherein the embedded device to 
have transparent network link comprises the embedded device to have a network connection 
not accessible by the host platform, the link to comply with the transport layer security (TLS) 
protocol. 

13. (Original) An apparatus according to claim 11, wherein the embedded device to 
have a transparent network link comprises the embedded device to have a network 
connection not accessible by the host platform, the link to comply with the secure sockets 
layer (SSL) protocol. 

14. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to verify the identity of the 
apparatus to a network switching device with the key, the key to also be used by the network 
endpoints to verify their respective identities to the network switching device, and the 
network switching device to decrypt encrypted traffic from the apparatus and the network 
endpoints. 

15. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to hash traffic to be transmitted 
with the key. 

16. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to perform cryptographic services 
with the key on traffic to be transmitted. 

17. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to include a derivative of the key 
in a header of traffic to be transmitted. 

18. (Original) An apparatus according to claim 11, further comprising a second 
embedded computational device, the second embedded device integrated on the host 
platform, to verify the security of the host platform. 

19. (Previously Presented) An apparatus according to claim 18, wherein the first 
embedded device to not authenticate the apparatus if the second embedded device determines 
the host platform is not secure. 

20. (Original) An apparatus according to claim 18, further comprising a bi- 
directional private bus between the first and second embedded devices. 

21. (Original) An apparatus according to claim 11, further comprising a counter 
mode hardware cryptographical module on the host platform to encipher traffic with the 
cryptographic key and further provide a counter mode enciphering of the enciphered traffic. 

22. (Currently Amended) A system comprising: 
a host platform including a host processor; 

a digital signal processor (DSP) coupled with the host platform; and 

an embedded chipset including a secure key storage module to perform cryptographic 
key management of a shared cryptographic key with the secure key storage module and a 
private communication channel accessible to the chipset and not the host platform, and to 
access an image of the host platform on a flash accessible to the DSP and not to the host 
processor to determine the integrity of the host platform, the shared cryptographic key to be 
used by the host platform to encipher data and other networked devices within a virtual 
private network, wherein the embedded chipset to receive detect a request for a secure 
network connection providing access to an encrypted traffic flow in the virtual private 
network, the embedded chipset further to verify, in response to detecting the request for the 
secure network connection and prior to any allowing of the requested secure network 
connection, that the host platform is not in a compromised state at a time before providing 
access to the encrypted traffic flow, and in response to the request for the secure connection 
and the verifying, the embedded chipset further to provide the cryptographic key and an 
assertion that the apparatus is not compromised to a verification entity on the virtual private 
network. 

23. (Original) A system according to claim 22, wherein the embedded chipset to 
perform cryptographic key distribution with the private communication channel comprises 
the embedded chipset to perform cryptographic key distribution with a communication 
channel complying with the transport layer security (TLS) protocol. 

24. (Previously Presented) A system according to claim 22, wherein the embedded 
chipset comprises an embedded controller agent and an embedded firmware agent, the 
firmware agent to perform the verification that the host platform is not in the compromised 
state, and the controller agent to operate the private communication channel and manage 
access by the host platform to secure network connections. 

25. (Previously Presented) A system according to claim 24, further comprising a 
bi-directional private communication path between the embedded controller agent and the 
embedded firmware agent to allow the agents to interoperate outside a context of the host 
platform. 

26. (Original) A system according to claim 22, further comprising the embedded 
chipset to hash traffic to be transmitted with the key to authenticate the system to one of the 
other networked devices. 

27. (Original) A system according to claim 22, further comprising the embedded 
chipset to perform cryptographic services with the key on traffic to be transmitted to 
authenticate the system to one of the other networked devices. 

28. (Original) A system according to claim 22, further comprising the embedded 
chipset to include a derivative of the key in a header of traffic to be transmitted to 
authenticate the system to one of the other networked devices. 

29. (Currently Amended) An article of manufacture comprising a tangible machine 
accessible medium having content stored thereon to provide instructions to cause a machine 
to perform operations including: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having one of the embedded agents, each embedded agent to 
store the symmetric cryptographic key in a storage accessible to the embedded agent and not 
directly accessible to a host processor on the client; and 

providing access to an encrypted traffic flow in a network to one of the clients if the 
one of the clients is authenticated with the key, the providing including 

the one of the clients receiving detecting a message requesting a secure 
network connection for the encrypted traffic flow, 

in response to detecting the message, the embedded agent of the one of the 
clients verifying, prior to any allowing of the requested secure network connection, 
the embedded agent of the one of the clients verifying that a platform of the one of 
the clients is not in a compromised state at a time before providing access to the 
encrypted traffic flow, and 

in response to the message requesting the secure connection and the verifying, 
the embedded agent of the one of the clients providing the key and an assertion that 
the one of the clients is not compromised to a verification entity on the network. 

-7- 

Application No. 10/809,315 
Supplemental Response to Final Office Action mailed July 6, 2009 
Atty. Docket No. 42P19299 
Examiner Schmidt, Kari L. 

30. (Previously Presented) An article of manufacture according to claim 29, 
wherein the content to provide instruction to cause the machine to perform operations 
including provisioning the key through the embedded agents further comprises the content to 
provide instruction to cause the machine to perform operations including provisioning the 
key through an embedded agent having network access via a network link not visible to a 
host operating system (OS) running on the one of the clients. 

31. (Previously Presented) An article of manufacture according to claim 30, 
wherein the content to provide instruction to cause the machine to perform operations 
including providing access to the traffic flow if the one of the clients is authenticated 
comprises the content to provide instruction to cause the machine to perform operations 
including authenticating the one of the clients with the embedded agent over the network line 
not visible to the host OS. 

32. (Original) An article of manufacture according to claim 29, wherein the content 
to provide instruction to cause the machine to perform operations including providing access 
to the traffic flow further comprises the content to provide instruction to cause the machine to 
perform operations including providing multiple clients access with the key to nodes in the 
network, the nodes in the network to decrypt the traffic flow and subsequently encrypt the 
traffic flow to transmit the traffic to a next node in the network. 

33. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
updating at a client the symmetric cryptographic key provisioned across the multiple clients 
through a public and private key exchange with a public and private key associated with the client. 

35. (Previously Presented) An article of manufacture according to claim 29, further 
comprising the content to provide instruction to cause the machine to perform operations 
including indicating with the embedded agent to a remote network device if the one of the 
clients is compromised. 

36. (Previously Presented) An article of manufacture according to claim 29, further 
comprising the content to provide instruction to cause the machine to perform operations 
including foreclosing with the embedded agent network access to the one of the clients if the 
one of the clients is compromised. 

37. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
performing cryptographic functions on data with the key to authenticate data with the key. 

38. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
placing a derivative of the key in a header of data to be transmitted to authenticate the data 
with the key. 